Bug#317642: [Logcheck-devel] Bug#317642: How to debug logcheck?

maximilian attems debian at sternwelten.at
Mon Jul 11 11:55:44 UTC 2005


On Sun, 10 Jul 2005, Rainer Zocholl wrote:

> Hello
> 
> i change the rules but logcheck seems to ignore them
> 
> One example:
> 
> REPORTLEVEL="server"
> 
> logcheck send mails containing:
> 
> Security Events
> =-=-=-=-=-=-=-=
> Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> 
> 
> i don't want to see those messages (currently)
> 
> So i added a new rule to ipopd-ssl
> 
> [20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH * 
> ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
> logcheck.dpkg-old:authsrv.*AUTHENTICATE
> 
> (BTW: Wouldn't it be better to add an entire new file?)

yes add your local-packagename file.
 
> If i test the rule file with that:
> 
> /etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog
> 
> i exactly get the lines i don't want to see in logcheck output, 
> so i assume that rule is OK.
> 
> As there is the "magical" word "failure" i have to add that rule to
> violations.ignore too, or?
> 
> [20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
> logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]
> 
> 
> /etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog
> gives
> Jul  9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
> 
> 
> So i assume the rules are right, or?

i wouldn't recommend the above rules for upstream inclusion,
but they look right.
 
> But why are they ignored by logcheck?
did you check the permissions of the file you added/changed?
ls -l /etc/logcheck/ignore.d.server/ssh
-rw-r-----  1 root logcheck 1165 2005-04-03 01:00 /etc/logcheck/ignore.d.server/ssh

maybe your umask is too restrictive and the above file can't be read
by logcheck? please post the output of
ls -l /etc/logcheck/violations.ignore.d/logcheck-ipop3

> I meanwhile have the feeling that logcheck is using entirely
> different rule files than the ones i edit (box root kitted?)
> Is there a way to debug logcheck?
> "-d" seems to give only hints on program flow but
> seems to be only a "one shot", so i can't debug the rules effectively.

would be cool to see if the above rule is mentioned in the debug hints.
did you check?
 
> Isn't there somewhere a tool (bayes?) where i can feed the
> "unwanted" lines to which in future are ignored by logcheck?
> (Like "tiger" does which only reports changes/new lines)
> Currently the "optimization" of the rule set took several weeks(!)
> as i have to wait hours to verify the most trivial change.

why? just invoke it from the commandline.
if you have sudo installed
sudo -u logcheck logcheck [options]
for example
sudo -u logcheck logcheck -t -o -d

else if you don't have sudo installed
su -s /bin/bash -c "/usr/sbin/logcheck [options]" logcheck
 
 
> What's the intended way to debug rules sets?
> 
> Why does the "egrep" trick can't be used to verify the rules?
> (What is logcheck adding to the rules to make them fail?)
> 
> How can i verify which rules files logcheck really uses?
run debug.
 
> Where are the used rules (files and their contents) logged?
not atm.
 
> How can i run "logcheck" repeatedly to debug?
see above.

i will add some examples to current manpage.

--
maks
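An added example, not code from the thread or from logcheck itself: a small shell dry-run of a rule file against constructed sample lines, using the same egrep -f approach as the poster, plus a check of an `ls -l` line for the unreadable-file problem maks suspects. The log lines and the rule are constructed for illustration; the syslog-prefix anchoring is assumed to follow the style of the Debian rule files.

```shell
#!/bin/sh
# Added example: dry-run a logcheck ignore rule file the way the egrep -f
# trick does, show which lines would still be reported, and check an ls -l
# line for the permission problem discussed above.

# Constructed sample syslog lines, patterned on the ones quoted in the thread.
SAMPLE_LOG="$(mktemp)"
RULE_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG" "$RULE_FILE"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul 10 09:12:40 machine ipop3ds[10311]: AUTHENTICATE CRAM-MD5 failure host=host.example.net [198.51.100.7]
Jul 10 09:13:07 machine sshd[2220]: Accepted publickey for alice from 192.0.2.4 port 2222 ssh2
EOF

# Constructed rule: the poster's pattern, anchored to the syslog prefix and
# with the dots escaped, so it only hides failures from the one netblock.
cat >"$RULE_FILE" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ipop3ds\[[0-9]+\]: AUTHENTICATE CRAM-MD5 failure host=p[0-9A-F]{8}\.dip0\.t-ipconnect\.de \[84\.141\.[0-9]+\.[0-9]+\]$
EOF

# Number of log lines the rule file suppresses ($1 = rule file, $2 = log).
ignored_count() { grep -E -c -f "$1" "$2"; }

# Lines no rule matches: what logcheck would still mail out.
remaining_lines() { grep -E -v -f "$1" "$2"; }

# Given one `ls -l` line, decide whether user logcheck (group logcheck)
# can read the rule file; an unreadable rule file is simply not applied.
rule_file_readable_by_logcheck() {
    set -- $1                      # split into mode, links, owner, group, ...
    mode=$1 owner=$3 group=$4
    case "$mode" in ???????r??) return 0 ;; esac          # world-readable
    if [ "$owner" = logcheck ]; then
        case "$mode" in ?r????????) return 0 ;; esac      # owner-readable
    fi
    if [ "$group" = logcheck ]; then
        case "$mode" in ????r?????) return 0 ;; esac      # group-readable
    fi
    return 1
}

echo "suppressed by rule file: $(ignored_count "$RULE_FILE" "$SAMPLE_LOG")"
echo "still reported:"
remaining_lines "$RULE_FILE" "$SAMPLE_LOG"
```

Run it as the logcheck user (via the sudo or su line above) against a copy of the real rule file and /var/log/syslog to see exactly what logcheck will and will not suppress.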